20145236 "Network Confrontation" Exp 6 Information Collection and Vulnerability Scanning

1. Answers to basic questions

  1. Which organizations are responsible for DNS and IP management?
  • The Internet Corporation for Assigned Names and Numbers, or ICANN for short, determines the allocation of domain names and IP addresses. ICANN is a non-profit organization established to undertake the functions of domain name system management, IP address allocation, protocol parameter configuration, and main server system management.
  • ICANN is responsible for coordinating and managing the technical elements of the DNS to ensure universal resolvability, so that all Internet users can find valid addresses.
  • There are three supporting organizations under ICANN, of which the Address Supporting Organization (ASO) is responsible for the management of the IP address system, and the Domain Name Supporting Organization (DNSO) is responsible for the management of the Domain Name System (DNS) on the Internet.
  2. What is 3R information?
  • Registrant, Registrar, official Registry
  • 3R registration information: scattered across the databases maintained by the official registry or the registrar

2. Experimental summary and experience

This experiment mainly obtained information through information collection and vulnerability scanning. The open ports and vulnerabilities found in this information can be used to attack the scanned target machine. Because this was not a fine-grained scan, it is difficult for us to really analyze what is abnormal, but through operations such as route tracing I further realized that in the era of big data we leave countless traces whenever we use the network. There is a saying that people in the Internet age actually have no privacy. Just by knowing an IP address, we can dig out the device model, system vulnerabilities, registrant's name and so on behind that IP address. The deeper these things are dug, the more frightening it really is.

3. Practice process record

(1) Information collection

whois

1. Use whois to query the DNS registrant and contact information. Enter directly in the Kali terminal: whois taobao.com. Below is the query result; we can see the registered company, that there are 4 name servers, and basic registration information such as province, fax and telephone.

  2. The 3R registration information can be obtained from the figure above, including the registrant's name, organization, city and other information.
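Since the whois screenshot is not reproduced here, the following shell functions are an added example (not from the original report) that pull the 3R fields and the name servers out of a whois record read from stdin, so they work on the output of whois taobao.com as well as on the constructed sample record embedded below, whose values are placeholders.

```shell
#!/bin/sh
# Added example: extract Registrant, Registrar and Registry information
# (the 3R data) plus name servers from a whois record supplied on stdin.

# whois_field FIELD -> value of the first line that starts with "FIELD:"
whois_field() {
    grep -i "^[[:space:]]*$1:" | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# name_servers -> lower-cased, de-duplicated list of "Name Server:" values
name_servers() {
    grep -i "^[[:space:]]*Name Server:" \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z' | sort -u
}

# summarize_3r -> one line per 3R element, built from the record on stdin
summarize_3r() {
    rec=$(cat)
    printf 'Registrant: %s (%s)\n' \
        "$(printf '%s\n' "$rec" | whois_field 'Registrant Organization')" \
        "$(printf '%s\n' "$rec" | whois_field 'Registrant Country')"
    printf 'Registrar:  %s\n' "$(printf '%s\n' "$rec" | whois_field 'Registrar')"
    printf 'Registry:   %s\n' "$(printf '%s\n' "$rec" | whois_field 'Registry Domain ID')"
    printf 'Name servers: %s\n' "$(printf '%s\n' "$rec" | name_servers | tr '\n' ' ')"
}

# Constructed sample record: the field names follow the usual .com registrar
# layout, the values are made up for this example.
SAMPLE_WHOIS='Domain Name: EXAMPLE-CORP.COM
Registry Domain ID: 0000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.test
Registrar: Example Registrar, LLC
Registrant Organization: Example Corp Ltd.
Registrant Country: CN
Name Server: NS1.EXAMPLE-CORP.COM
Name Server: NS2.EXAMPLE-CORP.COM
Name Server: ns1.example-corp.com
DNSSEC: unsigned'

# Stand-alone run: summarize the constructed record.
printf '%s\n' "$SAMPLE_WHOIS" | summarize_3r
```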

nslookup, dig query

  1. Again taking Taobao as an example, perform a dig query:
  2. Next, use the nslookup command to query. The difference between nslookup and dig is that nslookup returns the result cached by the DNS resolution server, which is not necessarily accurate, while dig can query the exact result from the official DNS server:
  3. You can also do a reverse lookup from an IP address to a domain name:
  4. You can also use the Shodan search engine (https://www.shodan.io/) to obtain some registration information:

traceroute/tracert route tracing

  • The following is the query result under Linux. We can look up the geographical location of these routers or hosts by IP and analyze the route taken by the packets.
  • I thought it was because qq was protected against route tracing, but I found out that if traceroute is used on Linux, the UDP protocol is used by default. Except for the first hop, the rest are all * * *; 80% of this is because the virtual machine's NAT router drops packets to ports > 32767 by default.

  • Under Windows:
  • The request timeouts in the middle part should be due to some network devices that do not allow ping and tracert.

search engine query technology

  • site: Search is limited to a specific site
    • If you know that there is something you need to find in a certain site, you can limit the search scope to this site to improve query efficiency.
  • Filetype: The search scope is limited to the specified document format
    • The query word can be limited to appear in the specified document using the Filetype syntax, and the supported document formats are pdf, doc, xls, ppt, rtf, all (all the above document formats). Very helpful for finding documentation.
  • intitle: Search is limited to the page title
    • The title of a web page is usually a general summary of the content of the web page. Restricting the content of the query to the title of the page can sometimes achieve good results.
  • Double quotation marks "" and book title marks 《》: exact match
    • If the query word is enclosed in double quotation marks "", the query word will not be split and must appear in the search results in its entirety, so that the query word is matched exactly. Without the double quotation marks, it may be split after Baidu's analysis.
    • Enclosing the query word in book title marks 《》 has two special functions: first, the book title marks will appear in the search results; second, the content enclosed by the book title marks will not be split. Book title marks are particularly effective in some cases. For example, if the query word is mobile phone without book title marks, the results are in many cases about the communication device; after adding book title marks, the results for 《Mobile Phone》 are all about the film.
  • e.g.:

netdiscover discovery

  • Under Linux, you can directly perform host detection on the private 192.168 network segment by executing the netdiscover command

NMAP scan

  • Host discovery: nmap -sn 192.168.85.*

  • Scan the target host 192.168.85.254 using the TCP SYN method:

  • Scan the UDP ports; you can see the port information for services that use the UDP protocol
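As an added example that is not part of the original report, the following shell script parses nmap's normal output into a list of open ports and flags those that are missing from an expected-ports baseline, which is the check a defender runs against their own hosts after a scan like the ones above. The scan output and the baseline are constructed samples for the lab segment 192.168.85.0/24.

```shell
#!/bin/sh
# Added example: list open ports from nmap normal output and report any
# open port that is not in a baseline of services expected to be exposed.

# open_ports  <nmap-normal-output>  ->  "host port/proto service" per open port
# (ports in state "open|filtered" from a UDP scan are deliberately not counted)
open_ports() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /^[0-9]+\/(tcp|udp)[ \t]/ && $2 == "open" { print host, $1, $3 }'
}

# unexpected_ports BASELINE_FILE  <nmap-normal-output>
#   prints every open port whose "host port/proto" pair is absent from the file
unexpected_ports() {
    open_ports | awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0) ok[line] = 1 }
        !(($1 " " $2) in ok) { print }'
}

# Constructed sample: output in the style of nmap TCP SYN and UDP scans.
SAMPLE_NMAP='Nmap scan report for 192.168.85.254
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
445/tcp  open          microsoft-ds
53/udp   open|filtered domain

Nmap scan report for 192.168.85.130
Host is up (0.0012s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
3306/tcp open   mysql'

# Constructed baseline: the services that are supposed to be reachable.
BASELINE='192.168.85.254 22/tcp
192.168.85.254 80/tcp
192.168.85.130 22/tcp'

# Stand-alone run: print what is open but not in the baseline.
tmp=$(mktemp); printf '%s\n' "$BASELINE" > "$tmp"
printf '%s\n' "$SAMPLE_NMAP" | unexpected_ports "$tmp"
rm -f "$tmp"
```

On the sample this reports 445/tcp on 192.168.85.254 and 3306/tcp on 192.168.85.130, the two services the baseline does not allow.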

Origin http://43.154.161.224:23101/article/api/json?id=324843443&siteId=291194637